If I browse the internet or ask AI, I get reasons for and against to have Secure Boot enable. I had secure on and it was a pain in the a** to boot Ventoy or Clonezilla, so now I have secure boot disable. I don’t boot either one very often so I was thinking maybe I should turn secure boot back on.
Do you have secure boot on or off? And maybe add why you chose that option.
Right now I have secure boot off and it is much easier to boot a live OS like Ventoy, another Linux Distro, or Clonezilla.
My computers are too old to have secure boot. So it is effectively off.
I seem to get by without it.
I think it is unlikely that someone would invade my home armed with a live usb drive , boot my computer , and find there is nothing there worth stealing.
I didn’t enable it. I’m running legacy hardware (Z97-K mobo) and older hardware can be finicky with secure boot.
Also, it’s a desktop. If someone’s in the house on the desktop, chances are I have bigger problems 
I have read that secure boot can “Blocks rootkits, bootkits, and other malware …” so maybe not just someone having physical access to the PC? I heard that Linux is not as exposed to malware so maybe not needed as much.
This answers some of the more general questions.
I think it is unlikely that someone would invade my home armed with a live usb drive , boot my computer , and find there is nothing there worth stealing.
It is my second line of defense for my Linux Kernel Panic 
to retrieve all my data
Secure boot was invented for OS’ which are a security nightmare. Most Linux distributions have at least reasonable security in place to protect the root account, and hence the boot partition.
I see no need to turn it on.
That does not stop someone using a live usb if they can physically access the console.
Root in a live usb can access anything.
They could have solved it far easier by putting a lock and key on the keyboard… like the ignition key on a car.
Headless servers dont need secure boot, as far as I can see.
You have been watching too many spy moves where they put in a usb and take over the world Mr Bond !
just to clarify definition of bootkit- traditional/legacy bootkits often needed physical access. However, modern type (especially UEFI bootkits) can be installed remotely. -they gain admin/root privileges remotely-. (ex. remote rootkit installs remote bootkit.) It’s all about getting administrative privileges. Linux (for the most part) is better at protecting against unknown use of admin/root privileges.
Also significantly less attacks on Linux systems vs Microsoft.
Secure Boot was essentially built to solve a big Windows problem. It helps Linux some- But it was a major push by Microsoft.
I have seen that there are passwords that you can put into BIOS. An admin and a user password. But that would be a real pain in the a** to have a PW for each time you started the PC.
But then, if a person have physical access to the PC, I suppose they could always take out the cmos battery to reset everything.
Not always the case, some fabricateur the motherboard with capacitors to replace the battery and they are a right pain to unsolder, occasionally there is a jump switch you can use that does the same.
A software solution to what was essentially a hardware problem. They should have put a physical lock on the computer to prevent illegal access.
Yes., but without locking BIOS/UEFI with a password, it is trivial to disable secure boot. Hence the old argument about security if I have physical access. I have secure boot on (I am not paranoid, they are out to get me). It is a pain when a kernel upgrade bollocks up Vmware and I have to do the MOK stuff. If you have stuff to protect, I guess it is best to encrypt the drive. I do that with a NAS running openmediavault, I have one drive encrypted and one not. I believe that it is cruel to foist Windows onto a poor unsuspecting computer so I run it in virtual machines. Both on Debian and ESXi. I still do a little programming and no one would test my stuff on a live system.
It is quite easy to encrypt a few selected files, rather than a whole drive.
True. I have one nvme drive that is encrypted. I have it in a USB enclosure, I like that I can leave it attached but not mounted for an “air gap”. Openmediavault handles it well.
Many infosec professionals fail to answer the question: “Secure from WHAT?”
Security from Boot Sector viruses and Physical Access by malicious actors are what the mission statement reads, and close vendor support with hardware manufacturers is what made SB a near-universal presence on modern hardware, especially portable hardware.
You have to give Microsoft some respect for making TPM integration and BitLocker performance levels nearly invisible to the end user. SB is their standard, and it’s been a few years since their root certificates (the basis for all encryption) have been compromised or spoofed.
That said, in the FOSS universe, it’s been kind of hit-and-miss seamless-ness for the past few years. SystemD-boot (gummiboot) and rEFInd can both work, with a bit of tweaking, and Windows 11 can be installed on Virtual Hardware with virtual TPMs, even if the host machine doesn’t have the required TPM and CPU support.
Roll your own keys and boot Arch? Why not! But if it’s the only OS you plan to boot, and you have full control to the BIOS/UEFI settings, I’d argue,as the coffee shop guy used to yell to the baristas when I would order a ‘decaf espresso’: “One whats-the-point”!
That may be so if you use Microsoft products.
They are making it more diffucult for users who wish to use other software.
I hope we will always be able to turn off secure boot. I dont want the additional boot complications. My security consists of not having anything worth securing.
Security is a materialistic problem. Stop hoarding things. What you should value is the beauty and creativity of your system and how it can be used to help others.
“It is the preoccupation with possessions, more than anything else that prevents us from living freely and nobly.” ― Bertrand Russell
“The materialist is sure that history has been simply and solely a chain of causation, just as the [lunatic] is quite sure that he is simply and solely a chicken. Materialists and madmen never have doubts.”
G.K. Chesterton, Orthodoxy
More motherboards have no options to disable secure boot.
That is disappointing.
We need to be more vocal about wanting that option.